Webhook HMAC signature (security issue)


      There is currently no way of authenticating webhooks. While IP whitelisting could work, it is fragile and cumbersome to maintain a list of allowed IP addresses (even if said list is available through an API).

      A simple & proven way of authenticating any kind of payload is to join an HMAC signature with the payload.

      All that is required is a shared secret between Bitbucket and the webhook receiver. We should be able to provide said secret on the webhook configuration page (and the API). Then, Bitbucket sends the webhook with the computed HMAC (in a header or within the payload) so that the receiver can check it.

      Please note that this feature is already implemented by GitHub.

Assignee: Edmund Munday
Reporter: Zopieux
Votes: 103
Watchers: 51
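The sender/receiver exchange the request describes, as an added example that is not part of the original issue and not Bitbucket's own implementation. It assumes a hypothetical header name (`X-Hub-Signature`) and the common `sha256=<hex>` encoding; the page does not specify either. Both sides compute HMAC-SHA256 over the exact bytes on the wire, and the receiver compares with a constant-time check before it parses the JSON.

```python
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

# Assumed header name and encoding; the issue leaves both unspecified.
SIGNATURE_HEADER = "X-Hub-Signature"
SIGNATURE_PREFIX = "sha256="


def sign_payload(secret: bytes, body: bytes) -> str:
    """Compute HMAC-SHA256 over the raw request body and hex-encode it."""
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return SIGNATURE_PREFIX + digest


def build_webhook(secret: bytes, event: dict) -> Tuple[Dict[str, str], bytes]:
    """Sender side: serialize the event once, then sign those exact bytes."""
    body = json.dumps(event, separators=(",", ":"), sort_keys=True).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        SIGNATURE_HEADER: sign_payload(secret, body),
    }
    return headers, body


def verify_webhook(secret: bytes, headers: Dict[str, str], body: bytes) -> bool:
    """Receiver side: recompute the MAC over the raw bytes and compare in constant time.

    A missing or malformed header is a rejection, never a fall-through to "unsigned is fine".
    """
    presented = headers.get(SIGNATURE_HEADER, "")
    if not presented.startswith(SIGNATURE_PREFIX):
        return False
    expected = sign_payload(secret, body)
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(expected, presented)


def receive_webhook(secret: bytes, headers: Dict[str, str], body: bytes) -> Optional[dict]:
    """Verify first, parse second; untrusted bytes never reach the JSON parser."""
    if not verify_webhook(secret, headers, body):
        return None
    return json.loads(body.decode("utf-8"))


def demo() -> Dict[str, bool]:
    """Constructed sample exchange: one valid delivery plus three failure modes."""
    secret = b"shared-secret-configured-on-the-webhook-page"  # constructed
    event = {"eventKey": "repo:push", "repository": {"slug": "example"}}  # constructed
    headers, body = build_webhook(secret, event)
    return {
        "valid_accepted": receive_webhook(secret, headers, body) == event,
        "tampered_body_rejected": receive_webhook(secret, headers, body + b" ") is None,
        "wrong_secret_rejected": receive_webhook(b"not-the-secret", headers, body) is None,
        "missing_header_rejected": receive_webhook(secret, {}, body) is None,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The receiver must keep the raw body bytes it was sent (for example `request.get_data()` in Flask rather than the parsed JSON), because re-serializing the object can reorder keys or change whitespace and produce a different MAC even for an authentic delivery.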